CHERI: A hybrid capability-system architecture for scalable software compartmentalization

CHERI extends a conventional RISC Instruction- Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C- 0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.

Provisioning VolP wireless networks with security

Thesis (M. Tech.) - Central University of Technology, Free State, 200

Protection in commodity monolithic operating systems

This dissertation suggests and partially demonstrates that it is feasible to retrofit real privilege separation within commodity operating systems by "nesting" a small memory management protection domain inside a monolithic kernel's single-address space: all the while allowing both domains to operate at the same hardware privilege level. This dissertation also demonstrates a microarchitectural return-integrity protection domain that efficiently asserts dynamic "return-to-sender" semantics for all operating system return control-flow operations. Employing these protection domains, we provide mitigations to large classes of kernel attacks such as code injection and return-oriented programming and deploy information protection policies that are not feasible with existing systems. Operating systems form the foundation of information protection in multiprogramming environments. Unfortunately, today's commodity operating systems employ monolithic kernel design, where any single exploit in the vast code base undermines all information protection in the system because all kernel code operates with full supervisor privileges, meaning that even perfectly secure applications are vulnerable. This dissertation explores an approach that retrofits fundamental information protection design principles into commodity monolithic operating systems, the aim of which is a micro-evolution of commodity system design that incrementally decomposes monolithic operating systems from the ground up, thereby applying microkernel-like security properties for billions of users worldwide. The key contribution is the creation of a new operating system organization, the Nested Kernel Architecture, which "nests" a new, efficient intra-kernel memory isolation mechanism into a traditional monolithic operating system design. Using the Nested Kernel Architecture we introduce write-protection services for kernel developers to deploy security policies in ways not possible in current systems—while greatly reducing the trusted computing base—and demonstrate the value of these services by deploying three special data protection policies. Overall, the Nested Kernel Architecture demonstrates practical in-place protections that require only minor code modifications with minimal run- time overheads

Defeating Code-Reuse Attacks with Binary Instrumentation

La programmation orientée retour (ROP) est une technique par laquelle un attaquant peut introduire un comportement arbitraire dans un programme vulnérable. ROP est actuellement l’un des moyens les plus efficaces pour contourner les dispositifs de protection modernes. Ce type d’attaque a connu un essor phénoménal au cours des cinq dernières années. Les techniques utilisées pour se protéger contre ce type d’exploit génèrent un taux de faux négatif élevé car elles sont facilement contournables. De plus, elles ont tendance à ajouter une surcharge importante sur le programme qu’elles protègent. Dans la première partie de ce travail, nous avons étudié ces solutions proposées ou utilisées pour détecter ou atténuer les attaques ROP. Dans la deuxième partie, nous présentons une nouvelle approche pour détecter les attaques ROP lors de l’exécution. Cette partie vise à présenter nos Indicateurs de Compromis (IOC) qui pourraient être utilisés pour améliorer le taux de détection des attaques RDP. Nous avons également proposé une technique de mesure permettant de mesurer ces indicateurs lors de l’exécution en utilisant des techniques d’instrumentation dynamique de binaires (Dynamic Binary Instrumentation). Nos indicateurs proposés essaient d’identifier une attaque au moment de l’exécution en vérifiant la présence de certaines caractéristiques. Cette approche permet de détecter les attaques ROP sans compter sur toute autre information complémentaire comme le code source ou le support du compilateur. La dernière partie de ce travail couvre le sujet de la phase expérimentale, plus précisément, le prototype réalisé dans le but de prouver l’efficacité de nos indicateurs proposés ainsi que la technique de mesure proposée. Les résultats de cette phase expérimentale montrent que seuls les deux premiers indicateurs sont capables de détecter les attaques ROP. ----------ABSTRACT: Return Oriented Programming (ROP) is a technique by which an attacker can induce arbitrary behavior inside a vulnerable program without injecting a malicious code. It is presently one of the most effective ways to bypass modern protection mechanisms such as Data Execution Prevention (DEP) which prevents attackers from executing the malicious code already injected into the memory. ROP is also considered as one of the most flexible attacks, its level of flexibility, unlike other attacks, reaches the Turing completeness. The tremendous success of ROP attacks made the headlines in the cybersecurity space, they became one of the top security concerns and one of the most powerful cross-platform weapons. Several efforts have been undertaken to study this threat and to propose better defence mechanisms (mitigation or prevention), yet the majority of them are not deeply reviewed nor officially implemented. Furthermore, similar studies show that the techniques proposed to prevent ROP-based exploits usually yield a high false-negative rate and a higher false-positive rate, not to mention the overhead that they introduce into the protected program. The first part of this research work aims at providing an in-depth analysis of the currently available anti-ROP solutions (deployed and proposed), focusing on inspecting their defense logic and summarizing their weaknesses and problems. The second part of this work aims at introducing our proposed Indicators Of Compromise (IOC) that could be used to improve the detection rate of ROP attacks. The three suggested indicators could detect these attacks at run-time by checking the presence of some futures during the execution of the targeted program. We also proposed a measurement technique that allows measuring these indicators at run-time. The last part of this work covers the subject of the experimental phase. More specifically, the Proof of Concept performed with the objective of proving the effectiveness of our proposed indicators, as well as the proposed measurement technique. The results of this experimental phase show that only the first two indicators are able to detect ROP attacks. Another important finding was about the non-expected ROP features discovered and visualized during the experiment. These features could be used to strengthen our indicators in future works

Automating Cyberdeception Evaluation with Deep Learning

A machine learning-based methodology is proposed and implemented for conducting evaluations of cyberdeceptive defenses with minimal human involvement. This avoids impediments associated with deceptive research on humans, maximizing the efficacy of automated evaluation before human subjects research must be undertaken. Leveraging recent advances in deep learning, the approach synthesizes realistic, interactive, and adaptive traffic for consumption by target web services. A case study applies the approach to evaluate an intrusion detection system equipped with application-layer embedded deceptive responses to attacks. Results demonstrate that synthesizing adaptive web traffic laced with evasive attacks powered by ensemble learning, online adaptive metric learning, and novel class detection to simulate skillful adversaries constitutes a challenging and aggressive test of cyberdeceptive defenses